Lower bounds for Private Broadcast Encryption
Aggelos Kiayias and Katerina Samari
Department of Informatics and Telecommunications, University of Athens
{aggelos,ksamari}@di.uoa.gr
Abstract. Broadcast encryption is a type of encryption where the sender can choose a subset from a set of designated receivers on the fly and enable them to decrypt a ciphertext while simultaneously preventing any other party from doing so. The notion of private broadcast encryption extends the primitive to a setting where one wishes to thwart an attacker that additionally attempts to extract information about the set of enabled users (rather than the contents of the ciphertext). In this work we provide the first lower bounds for the ciphertext size of private broadcast encryption. We first formulate various notions of privacy for broadcast encryption (priv-eq, priv-st and priv-full) and classify them in terms of strength. We then show that any private broadcast encryption scheme in the sense of priv-eq (our weakest notion) that satisfies a simple structural condition we formalize and refer to as "atomic" is restricted to have ciphertexts of size Ω(s · k), where s is the cardinality of the set of enabled users and k is the security parameter. We then present an atomic private broadcast encryption scheme with ciphertext size Θ(s · k), hence matching our lower bound, that relies on key privacy of the underlying encryption. Our results translate to the setting of priv-full privacy with a ciphertext size of Θ(n · k), where n is the total number of users, while relying only on KEM security. We finally consider arbitrary private broadcast encryption schemes and show that in the priv-full privacy setting a lower bound of Ω(n + k) is imposed on the ciphertext length for every set of revoked users. This highlights the cost of privacy in the setting of broadcast encryption, where much shorter ciphertexts have previously been attained by various constructions in the non-private setting.
1 Introduction
Consider the setting of an encrypted file system. Each file is encrypted so that only a designated subset of the set of users of the system can retrieve it. An attacker, who may be controlling a set of system users, should be incapable of recovering the contents of the file provided that none of the controlled users belongs to the enabled set for the file. This setting is one of the application domains for broadcast encryption, a cryptographic primitive introduced by Fiat and Naor [9]. Broadcast encryption is also suitable for application to the setting of content distribution and is indeed widely used as the encryption system of DVDs (for example in the form of the AACS [1]) and other media content carrying mechanisms. A variety of schemes have been developed over the years with the main objective of reducing the ciphertext length. Currently, in the private-key setting (see e.g. [14]) there are schemes that achieve a ciphertext length of Θ(r · k), where r is the number of revoked users and k is the security parameter; in the public-key setting, using bilinear maps, the scheme of [4] achieves a ciphertext length of O(k) with a public key of size O(n · k) for any set of enabled users, and the scheme of Delerablée [6] achieves a ciphertext length of O(k) while the public key is of size Θ(s · k), assuming that sets of enabled users never exceed cardinality s.

Barth, Boneh and Waters [3] put forth the notion of private broadcast encryption. Their objective is to consider another class of attacks on broadcast encryption, where the goal of the attacker is to discover information about the set of enabled users rather than to decrypt a ciphertext for which it is not enabled. Protecting the privacy of the users in the enabled set can be an equally, and sometimes perhaps even more, important goal than the privacy of the message. Indeed, hiding the fact that one is a recipient of a message, from other users and even from other recipients of the same message, is a critical security feature in any setting where receiving a message at a certain time or frequency reveals sensitive personal characteristics of the recipient. For example, in a file system, an encrypted system file under a certain account may reveal that the said account has a certain level of system privileges, and this fact can assist an attacker in a more complex attack vector. To address this important problem, Barth et al. [3] introduced a security model for private broadcast encryption and provided a first solution.

This research was supported by ERC Project CODAMODA.
The scheme of [3] applies to the public-key setting and has the characteristic of being linear in the number of enabled users, i.e., it has a ciphertext of length Θ(s · k) where s is the number of enabled users. Given that, as shown above, previously known (non-private) schemes achieve much better ciphertext lengths, it is an important open question to improve this efficiency characteristic for private broadcast encryption schemes or to demonstrate that no further improvement is possible. In this work, motivated by the above, we provide various results suggesting the latter state of affairs by proving tight lower bounds for the ciphertext length of private broadcast encryption schemes. We outline our results below.

First, we study the formalization of the notion of privacy in the context of private broadcast encryption. We introduce three security formulations. The first notion we consider is inspired by that of [3]: it allows the adversary to interact with the broadcast encryption system by obtaining encryption and decryption queries as well as corrupting recipients. Upon completion of a first stage the adversary provides two target sets of users to be revoked, R_0, R_1. Then, provided that |R_0| = |R_1|, the adversary receives as a challenge a message M and an encryption of M with the set of users R_b revoked, where b is a random bit. The adversary has to guess the bit b under the constraint that it does not submit the challenge ciphertext to a decryption oracle and does not control any user in the symmetric difference R_0 △ R_1. We call this level of privacy priv-eq.
We observe that priv-eq is insufficient for many reasonable attack settings. Specifically, for a certain ciphertext the adversary may be absolutely certain that the set of users R is revoked and only wishes to test whether an additional target user i is also revoked or not. Clearly this attack objective is not captured by the above definition, since in this case R_0 = R and R_1 = R ∪ {i}, two sets of different cardinality. We formalize this notion of privacy as priv-st. It is very easy to see that there exist schemes that satisfy priv-eq and fail priv-st; in particular, any scheme that leaks the cardinality of the set of revoked users is such a candidate, and in fact the scheme of [3] is one such scheme. Taking this one step further, we introduce full privacy to be the property that the adversary cannot distinguish any two sets R_0, R_1; we term this notion priv-full. We then prove that priv-st and priv-full are in fact equivalent. Armed with this definitional basis we proceed to our lower bounds. We first consider the case of atomic broadcast encryption schemes. Atomic schemes have the characteristic that the ciphertext can be broken into a number of discrete components, and each recipient, when decrypting, applies a decryption function to one or more of those components. The private schemes of [3] satisfy this condition, and it is also quite common in the wide class of combinatorial broadcast encryption schemes; a partial list of non-private atomic schemes is [14], [12], [11], [16], [2]. For such atomic schemes, we prove that any scheme that satisfies the priv-eq condition is susceptible to an attack against privacy whenever the number of atomic ciphertexts drops below s, where s is the cardinality of the set of enabled users, i.e., whenever the ciphertext length drops below s · k. This means that a lower bound of Ω(s · k) is in place. We then present an atomic private broadcast encryption scheme with this complexity, hence showing that the lower bound is tight.
The scheme itself is a standard linear-length construction; it applies equally to the symmetric and the public-key setting and abstracts the properties needed for privacy into the existence of a secure key-private encryption mechanism in the KEM sense [15]. We present a similar set of results for the priv-full level of privacy; in this case KEM security is sufficient and the corresponding tight bound is Θ(n · k). Having settled the case of atomic broadcast encryption, we switch our focus to the setting of general private broadcast encryption schemes (that are not necessarily atomic). We first show, using an information-theoretic argument, that any broadcast encryption scheme must exhibit some ciphertexts of length Ω(n + k). Using this as a stepping stone we then prove that if a broadcast encryption scheme is private in the sense of priv-st (equivalently, priv-full), it has to produce ciphertexts of length Ω(n + k) for every set of revoked users R; hence a ciphertext length sublinear in the number of users cannot be achieved if full privacy is desired.

Related work. Independently of the present work, Libert, Paterson and Quaglia [13] have studied the problem of "anonymous broadcast encryption", where the main focus is to enable efficient decryption in the setting where the ciphertext is of length Θ(s · k). In this case the known schemes that satisfy privacy require the users to test sequentially until they find the proper element they can
decrypt. In the public-key setting this can be an arduous task if the number of enabled users is large; by using a randomized tagging mechanism it is possible to improve the decryption time complexity. Our modeling is consistent with that of [13] and our lower bounds readily apply to their setting as well. Fazio and Perera [8] introduce a weaker notion of anonymity compared to the one considered here and in previous works, called outsider-anonymity. An outsider-anonymous broadcast encryption scheme ensures that a user in the revoked set can gain no information about the enabled set, while a member of the enabled set may extract information about some other users in it. Taking advantage of this relaxation of the anonymity definition, the authors employ an atomic scheme, namely the public-key variant of the Complete Subtree method [7], in order to achieve sublinear ciphertext size.
2 Privacy notions for broadcast encryption
Broadcast encryption is a triple ⟨KeyGen, Encrypt, Decrypt⟩ where KeyGen generates a set of n keys for any given n and Encrypt receives a set of revoked users R ⊆ [n] that should be barred from decrypting. We define privacy in broadcast encryption using an experiment between a challenger and an adversary. The adversary is given access to an Encryption Oracle, which means that he is capable of obtaining ciphertext-message pairs that can be decrypted by an enabled set of his choice. Also, he is able to obtain the secret keys of a selected set of users by submitting queries to a Corruption Oracle. We distinguish three levels of privacy in our formalization. In the most general type (full privacy), priv-full, the adversary should be unable to distinguish between any two sets of revoked users as long as the corrupted users do not cover the symmetric difference of the two sets. In the case of "single target" privacy, priv-st, the adversary wishes to find out whether a single (target) user is included in an (otherwise) known revoked set. Finally, privacy among equal sets, priv-eq, is identical to priv-full with the additional restriction that the adversary must challenge on two sets of equal cardinality. Formally, we have the following:

CorruptOracle(u):
  T ← T ∪ {u}
  return K_u

DecryptionOracle(u, c):
  D ← D ∪ {(u, c)}
  retrieve K_u
  return Decrypt(K_u, c)

EncryptionOracle(R):
  retrieve ek
  m ←$ M
  c ← Encrypt(ek, m, R)
  return (c, m)

Experiment Exp^{priv-x}_A(1^n, 1^λ):
  (ek, K_1, …, K_n) ← KeyGen(1^n, 1^λ)
  T ← ∅; D ← ∅
  (state, R_0, R_1) ← A^{CorruptOracle(·), EncryptionOracle(·), DecryptionOracle(·)}(1^λ)
  b ←$ {0, 1}; m ←$ M
  c* ← Encrypt(ek, m, R_b)
  b* ← A^{CorruptOracle(·), EncryptionOracle(·), DecryptionOracle(·)}(guess, (c*, m), state)
  if ∃ i ∈ T such that i ∈ R_0 △ R_1, or ∃ (i, c) ∈ D such that i ∈ R_0 △ R_1 and c = c*, then output a random bit
  else if b = b* then return 1 else return 0

Definition 1 (Privacy). Let Φ be a fully exclusive broadcast encryption scheme with n receivers. We say that Φ is private in the sense of priv-x if for all PPT adversaries A,
$$\mathrm{Prob}[\mathrm{Exp}^{\mathrm{priv}\text{-}x}_A(1^n, 1^\lambda) = 1] \le \tfrac{1}{2} + \varepsilon,$$
where ε is a negligible function of λ and λ is the security parameter.
Based on the definition above, we provide three different definitions of privacy whose differences concern the form of the challenge (R_0, R_1).
– We call Exp^{priv-full} the experiment in which R_0, R_1 can be any subsets of [n].
– With Exp^{priv-st} we define the experiment where R_0, R_1 have to be of the form R and R ∪ {i}, respectively.
– With Exp^{priv-eq} we define the experiment where R_0, R_1 have to be of equal size. Consequently, one more or-factor, (|R_0| ≠ |R_1|), is added to the condition in the last line of the experiment, so that the experiment outputs a random bit in case the adversary's challenge sets are of unequal size.

We then proceed to show relations between the three notions of privacy.

Theorem 1. 1. The privacy definitions priv-st and priv-full are equivalent. 2. Privacy definition priv-full implies privacy definition priv-eq. 3. Privacy definition priv-eq does not imply privacy definition priv-st.

Proof. 1. We need to prove two directions in order to show that these definitions are equivalent. The easy direction is that privacy definition priv-full implies privacy definition priv-st: if there exists a PPT adversary A that breaks privacy definition priv-st by challenging a pair (R, R ∪ {i}) with non-negligible advantage α, the same adversary breaks privacy definition priv-full with R_0 = R and R_1 = R ∪ {i}. The opposite direction follows from Lemma 1.

2. If there exists a PPT adversary that breaks privacy definition priv-eq with advantage α, then the same adversary also breaks privacy definition priv-full with non-negligible advantage α, since an equal-cardinality challenge is a valid priv-full challenge.

3. It suffices to exhibit a broadcast encryption scheme which satisfies definition priv-eq but is not private according to definition priv-st (equivalently, priv-full). Let Φ be a broadcast encryption scheme which is priv-eq; such schemes exist under standard cryptographic assumptions, as we will see in Section 4. Now consider Φ' to be exactly like Φ but with the added feature that the encryption algorithm appends to every ciphertext the cardinality of the revoked set. An adversary challenging (R, R ∪ {i}) reads |R_b| off the challenge ciphertext, so Φ' is inherently incapable of satisfying priv-st, while it remains priv-eq since the appended value is identical for the two challenge sets of a priv-eq adversary.
Lemma 1. Let Φ be a broadcast encryption scheme with n receivers. If there exists a PPT adversary that has advantage α in breaking privacy definition priv-full, then there exists a PPT adversary that breaks privacy definition priv-st with probability at least 1/2 + α/n.

Sketch of proof. Let A be a PPT adversary that breaks the priv-full definition with advantage α. Conditioning on A breaking privacy for a pair of sets (R_0, R_1), we consider a sequence of sets P_0, …, P_{k−1}, where k = |R_0 △ R_1| + 1, P_0 = R_0 and P_{k−1} = R_1. We set m = |R_0 \ R_1| and define P_i for i ≥ 1 as follows: if i ∈ {1, …, m}, P_i = P_{i−1} \ {j} for some user j ∈ R_0 \ R_1 not yet removed; otherwise P_i = P_{i−1} ∪ {j'} for some user j' ∈ R_1 \ R_0 not yet added. Thus all members of the sequence are supersets of R_0 ∩ R_1, and every pair of consecutive sets is of the form (R, R ∪ {i}) for some R. We denote by A_1 the part of A that corresponds to the training stage of the experiment, i.e., before the output of the challenge, and by A_2 the steps of A after receipt of the response. Together with the challenge pair (R_0, R_1), A_1 outputs a random variable state. We construct a PPT adversary B that breaks definition priv-st as follows. B runs A_1 until it outputs the challenge pair (R_0, R_1) together with state. Then B picks j ∈ {0, …, k − 2} at random and challenges the corresponding pair: due to the structure of the sequence, if j ∈ {0, …, m − 1} B challenges (P_{j+1}, P_j), otherwise it challenges (P_j, P_{j+1}). The received response is provided together with state to A_2. Then, if j ∈ {0, …, m − 1}, B outputs the complement of A_2's output, otherwise it outputs A_2's output. By the standard hybrid argument, B breaks definition priv-st with advantage α/(k − 1), which is at least α/n.
3 Lower bounds for Atomic Broadcast Encryption schemes

Definition 2. An atomic broadcast encryption scheme with n receivers is defined as a tuple of algorithms (KeyGen, Encrypt, Decrypt):
– KeyGen: On input 1^n, 1^λ, it generates the set of keys (ek, SK_1, …, SK_n), where ek is the encryption key and SK_i is the decryption key assigned to user i. Each decryption key SK_i is a set consisting of elements {sk_i^j}_{j=1}^{ℓ} (we call those atomic keys) for some value ℓ which is not necessarily the same for each user. It also produces the description of a language L which encodes all the possible subsets of users that may be provided as input to the encryption function.
– Encrypt: On input a message m, the encryption key ek and a revocation instruction R ∈ L, it outputs a ciphertext C ← Encrypt(ek, m, R) which, among possibly other values, contains a number of components c_1, …, c_ρ (we call those the atomic ciphertexts of C).
– Decrypt: On input a ciphertext C ← Encrypt(ek, m, R) and a decryption key SK_i, it outputs m if i ∉ R and some value x ≠ m if i ∈ R. Depending on the instantiation, x could be the symbol ⊥ or some plaintext sampled independently of m.
For atomic broadcast encryption schemes we further assume the existence of a deterministic algorithm Decrypt_matching which matches the atomic ciphertexts of a ciphertext tuple C with the atomic keys under which they are decrypted. In all cases we know of, this algorithm is part of the decryption algorithm.

Proposition 1. The broadcast encryption schemes that rely on the subset cover framework [14] are atomic. The private schemes of [3] are atomic.

Given that in this section we provide lower bounds, we use a weaker definition of privacy which departs from definition priv-eq in the oracles available to the adversary. More precisely, the adversary is not given access to a Decryption Oracle, and instead of a Corruption Oracle he is given access to an Atomic Decryption Oracle, which records each query (E ← E ∪ {(j, t)}) and answers as follows:

AtDecOr(j, t, C) =
  ⊥ if the set SK_j contains fewer than t keys,
  1 if there exists an atomic ciphertext in C that is decrypted under the key sk_j^t,
  0 if no atomic ciphertext in C is supposed to be decrypted under the key sk_j^t.

The Encryption Oracle is as before: EncryptionOracle(R) retrieves ek, samples m ←$ M, computes c ← Encrypt(ek, m, R) and returns (c, m).

Experiment Exp^{priv-eq-at}_A(1^n, 1^λ):
  (ek, K_1, …, K_n) ← KeyGen(1^n, 1^λ)
  E ← ∅
  (state, R_0, R_1) ← A^{AtDecOr(·), EncryptionOracle(·)}(1^λ)
  b ←$ {0, 1}; m ←$ M
  c* ← Encrypt(ek, m, R_b)
  b* ← A^{AtDecOr(·), EncryptionOracle(·)}(guess, (c*, m), state)
  if ∃ (i, ·) ∈ E such that i ∈ R_0 △ R_1, or |R_0| ≠ |R_1|, then output a random bit
  else if b = b* then return 1 else return 0

The experiment Exp^{priv-eq-at}_A is defined identically to Exp^{priv-eq}_A with the oracle AtDecOr substituting the corruption and decryption oracles.

Definition 3. Let Φ be a broadcast encryption scheme with n receivers. We say that Φ is private in the sense of priv-eq-at if for all PPT adversaries A,
$$\mathrm{Prob}[\mathrm{Exp}^{\mathrm{priv}\text{-}\mathrm{eq}\text{-}\mathrm{at}}_A(1^n, 1^\lambda) = 1] \le \tfrac{1}{2} + \varepsilon,$$
where ε is a negligible function of λ and λ is the security parameter. The following proposition is easy:

Proposition 2. Any broadcast encryption scheme Φ that satisfies privacy definition priv-eq also satisfies privacy definition priv-eq-at.

Proof. Assuming the existence of a PPT adversary A with non-negligible advantage in breaking privacy definition priv-eq-at, there is a PPT adversary B that breaks privacy definition priv-eq with the same advantage by executing A internally. The proof relies on the fact that B can perfectly answer the queries submitted by A to the Atomic Decryption Oracle because of its access to a Corruption Oracle: to answer (j, t, C), B corrupts user j, obtains SK_j and runs the deterministic Decrypt_matching on C.

Theorem 2 (Lower bound for atomic schemes). Let Φ be an atomic broadcast encryption scheme and suppose that there exists an enabled set S ⊆ [n] such that the number of atomic ciphertexts in the prepared ciphertext C_S is less than |S|. Then the scheme is not private according to definition priv-eq-at.

Proof. We assume that for every R the atomic ciphertexts produced by Encrypt are always decrypted under the same set of atomic keys (otherwise, if Encrypt flips coins in order to decide the atomic keys that will be used, the same argument applies with the only difference that the adversary has to run Encrypt on the set R_0 a number of times in order to approximate the distribution). Let S_0 be such a set and let C_{S_0} be a ciphertext produced by Encrypt on input ek, m, R_0 with R_0 = [n] \ S_0. By the pigeonhole principle, there exists at least one atomic ciphertext c_k in C_{S_0} that is decrypted by at least two users i, j ∈ S_0. As a result, c_k is decrypted under an atomic key sk_m that is a member of both SK_i and SK_j, the sets of atomic decryption keys of i and j respectively.
Given this, an adversary A that breaks privacy is constructed as follows:
1. Let i, j ∈ S_0 be two users that decrypt the same atomic ciphertext of the tuple C_{S_0} ← Encrypt(ek, m, R_0). Select a set R_1 such that |R_1| = |R_0|, i ∈ R_1 and j ∉ R_1, choosing the other |R_1| − 1 members of R_1 arbitrarily, and challenge (R_0, R_1).
2. When the response C* is received, issue the query R_0 to the Encryption Oracle, which is answered with a ciphertext C.
3. Submit queries of the form (j, t, C) to the Atomic Decryption Oracle for t = 1, 2, …, until AtDecOr returns ⊥. Ignoring the symbol ⊥, the output of this procedure is a bitstring x_1 of length ℓ, where ℓ is the number of atomic keys in SK_j.
4. Repeat the same procedure with inputs of the form (j, t, C*) and obtain a bitstring x_2 of the same length ℓ (these queries are allowed since j ∉ R_0 △ R_1: j is enabled under both challenge sets). If x_1 ≠ x_2 then answer 1, else 0.

If b = 0, then C and C* are both encryptions for the set R_0 and, by the assumption above, x_1 = x_2. If b = 1, then i ∈ R_1 is revoked in C*, so no atomic ciphertext of C* may be decryptable under the key sk_m shared by i and j (otherwise i could decrypt C*); the bit of x_2 corresponding to sk_m is therefore 0 while the same bit of x_1 is 1, and x_1 ≠ x_2. Hence A recovers b with certainty, and Φ is not private according to definition priv-eq-at.
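The attack of Theorem 2 carried out on a concrete atomic scheme, as an added example that is not part of the paper: the target is the Complete Subtree (CS) method of the subset cover framework [14], which Proposition 1 classifies as atomic. The tree (n = 8 users, heap-style node numbering), the modelling of an atomic ciphertext by the node key that decrypts it, and all function names are choices made for this demonstration; no actual encryption is performed, since the adversary only consumes the 0/1/⊥ answers of AtDecOr, and the CS cover is deterministic, so the assumption made at the start of the proof holds.

```python
# Added example, not from the paper: the Theorem 2 adversary run against the
# Complete Subtree (CS) method of the subset-cover framework [14], which
# Proposition 1 classifies as atomic.  An atomic ciphertext is modelled by the
# tree node whose key decrypts it; no encryption is performed, because the
# adversary only consumes the 0/1/bottom answers of AtDecOr.  The CS cover is
# deterministic, so the assumption made at the start of the proof holds.
# Tree size and heap-style node numbering are my choices for the demonstration.

N_USERS = 8          # leaves of a complete binary tree; users are 0 .. N_USERS-1
ROOT = 1             # node v has children 2v and 2v+1; leaves are N_USERS .. 2*N_USERS-1


def leaf(user):
    return N_USERS + user


def atomic_keys(user):
    """SK_user as the ordered list sk^1, ..., sk^l: the node keys on the path leaf -> root."""
    path, node = [], leaf(user)
    while node >= ROOT:
        path.append(node)
        node //= 2
    return path


def users_under(node):
    """Users whose leaves lie in the subtree rooted at node."""
    lo = hi = node
    while lo < N_USERS:
        lo, hi = 2 * lo, 2 * hi + 1
    return list(range(lo - N_USERS, hi - N_USERS + 1))


def cs_cover(revoked):
    """CS cover of [n] minus R: children of Steiner-tree nodes that are not themselves in the Steiner tree."""
    steiner = set()
    for u in revoked:
        node = leaf(u)
        while node >= ROOT:
            steiner.add(node)
            node //= 2
    if not steiner:
        return [ROOT]                      # nobody revoked: the root key covers everyone
    return sorted(c for v in steiner for c in (2 * v, 2 * v + 1)
                  if c < 2 * N_USERS and c not in steiner)


def encrypt(revoked):
    """Ciphertext for revoked set R: one atomic ciphertext per cover node, labelled by the decrypting key."""
    return cs_cover(revoked)


def at_dec_or(j, t, ciphertext):
    """AtDecOr(j, t, C): None (bottom) if |SK_j| < t, else 1 iff sk_j^t decrypts some component of C."""
    keys = atomic_keys(j)
    if t > len(keys):
        return None
    return 1 if keys[t - 1] in ciphertext else 0


def key_usage_pattern(j, ciphertext):
    """Steps 3/4 of the attack: query AtDecOr(j, t, C) for t = 1, 2, ... until bottom; collect the bits."""
    pattern, t = [], 1
    while True:
        bit = at_dec_or(j, t, ciphertext)
        if bit is None:
            return pattern
        pattern.append(bit)
        t += 1


def choose_challenge(r0):
    """Step 1: users i, j sharing an atomic ciphertext of C(R0); R1 with |R1| = |R0|, i in R1, j not in R1."""
    if not r0:
        raise ValueError("R0 must be non-empty for priv-eq-at; the empty-R0 case is Corollary 1")
    for node in encrypt(r0):
        covered = users_under(node)
        if len(covered) >= 2:                  # pigeonhole: this component serves two enabled users
            i, j = covered[0], covered[1]
            r1 = (set(r0) - {min(r0)}) | {i}   # swap one revoked user for i to keep the cardinality
            return sorted(r1), i, j
    raise ValueError("every atomic ciphertext serves one user; Theorem 2's hypothesis is not met")


def adversary_guess(r0, j, challenge_ct):
    """Steps 2-4: compare j's pattern on a fresh encryption for R0 with its pattern on c*."""
    x1 = key_usage_pattern(j, encrypt(r0))    # Encryption Oracle query on R0
    x2 = key_usage_pattern(j, challenge_ct)   # the same AtDecOr queries on the challenge
    return 1 if x1 != x2 else 0


def run_priv_eq_at(r0, b):
    """One run of Exp^{priv-eq-at} with the Theorem 2 adversary and challenge bit b; returns (b*, b)."""
    r1, _, j = choose_challenge(r0)
    assert j not in set(r0) ^ set(r1)          # j lies outside the symmetric difference, so its queries are permitted
    challenge = encrypt(r1 if b else r0)
    return adversary_guess(r0, j, challenge), b


if __name__ == "__main__":
    r0 = [7]
    r1, i, j = choose_challenge(r0)
    print("R0 =", r0, "cover", encrypt(r0), "-> i, j =", i, j, "R1 =", r1, "cover", encrypt(r1))
    for b in (0, 1):
        print("b =", b, "adversary outputs", run_priv_eq_at(r0, b)[0])
```

With R_0 = {7} the cover consists of node 2 (users 0 to 3), node 6 (users 4 and 5) and the leaf of user 6, so seven enabled users are served by three atomic ciphertexts and the adversary picks i = 0, j = 1 and R_1 = {0}. The key-usage pattern of user 1 is 0010 on any encryption for R_0 and 1000 on one for R_1 (once the key of node 2 is unusable, user 1 must be served through its own leaf key), so the guess is always correct. When R_0 revokes every other user, the cover consists of single leaves only and choose_challenge reports that the hypothesis of Theorem 2 is not met, which is exactly the regime in which the ciphertext already has at least |S| components.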
Corollary 1. Any atomic broadcast encryption scheme with n receivers whose ciphertexts contain fewer than n atomic ciphertexts cannot be private according to definition priv-full.

Proof. If R = ∅ and the atomic ciphertexts are fewer than n, the hypothesis of Theorem 2 holds for S = [n]. It is easily observed that the fact that the challenge sets R_0, R_1 are of equal cardinality played no crucial role in the proof of Theorem 2, so exactly the same argument applies with R_0 = ∅ as one of the two challenge sets (and R_1 = {i} for a user i that shares an atomic ciphertext with some user j); unequal challenge sets are permitted in the priv-full experiment.

Corollary 2. For any atomic broadcast encryption scheme Φ with n receivers that is private according to definition priv-eq, it holds that for any enabled set S ⊆ [n] the ciphertext length is Ω(k · |S|) bits, where k is the minimum length of an atomic ciphertext. For any atomic broadcast encryption scheme that is private according to definition priv-full, the ciphertext length is Ω(k · n) for all enabled sets S ⊆ [n].
4 Constructions of Atomic Private Broadcast Encryption Schemes
In this section, we present schemes matching the lower bounds of the previous section. We focus on CCA-1 security for simplicity, but our results can easily be extended to CCA-2 security. Due to lack of space most of our results are presented without proofs; full proofs are presented in the full version. We first consider security in the sense of key encapsulation mechanisms (KEM), defined with the aid of the following experiment:

Experiment Exp^{KEM}_A(1^λ):
  k ← Gen(1^λ)
  aux ← A^{Enc_k(·), Dec_k(·)}(1^λ)
  m_0, m_1 ←$ M; b ←$ {0, 1}; c ← Enc_k(m_b)
  b* ← A^{Enc_k(·)}(m_1, c, aux)
  if b = b* then return 1 else return 0

Definition 4. We say that the symmetric encryption scheme (Gen, Enc, Dec) is KEM-secure if for any probabilistic polynomial-time adversary A it holds that
$$\mathrm{Prob}[\mathrm{Exp}^{\mathrm{KEM}}_A(1^\lambda) = 1] \le \tfrac{1}{2} + \varepsilon,$$
where ε is a negligible function of λ.

Experiment Exp^{BE-KEM}_A(1^n, 1^λ):
  (ek, K_1, …, K_n) ← KeyGen(1^n, 1^λ)
  T ← ∅
  R ← A^{CorruptOracle(·), EncryptionOracle(·), DecryptionOracle(·)}(1^λ)
  b ←$ {0, 1}; m_0, m_1 ←$ M
  c* ← Encrypt(ek, m_b, R)
  b* ← A^{EncryptionOracle(·)}(c*, m_1)
  if T ⊈ R then output a random bit
  else if b = b* then return 1 else return 0

Definition 5. Let Φ be a broadcast encryption scheme with n receivers. We say that Φ is BE-KEM-secure if for any probabilistic polynomial-time adversary A it holds that
$$\mathrm{Prob}[\mathrm{Exp}^{\mathrm{BE}\text{-}\mathrm{KEM}}_A(1^n, 1^\lambda) = 1] \le \tfrac{1}{2} + \varepsilon,$$
where ε is a negligible function of λ.

Experiment Exp^{key-priv}_A(1^λ):
  k_0 ← Gen(1^λ); k_1 ← Gen(1^λ)
  aux ← A^{Enc_{k_0}(·), Enc_{k_1}(·), Dec_{k_0}(·), Dec_{k_1}(·)}(1^λ)
  m ←$ M; b ←$ {0, 1}; c ← Enc_{k_b}(m)
  b* ← A^{Enc_{k_0}(·), Enc_{k_1}(·)}(m, c, aux)
  if b = b* then return 1 else return 0

Definition 6. We say that the symmetric encryption scheme (Gen, Enc, Dec) is key-private if for any probabilistic polynomial-time adversary A it holds that
$$\mathrm{Prob}[\mathrm{Exp}^{\mathrm{key}\text{-}\mathrm{priv}}_A(1^\lambda) = 1] \le \tfrac{1}{2} + \varepsilon,$$
where ε is a negligible function of λ.

Scheme 1. This scheme is defined as a tuple of algorithms (KeyGen, Encrypt, Decrypt) described below. A basic component of the scheme is the underlying symmetric encryption scheme (Gen, Enc, Dec).
– KeyGen: On input 1^n, 1^λ: For any user i ∈ [n] run Gen(1^λ), which generates a key k_i. The encryption key is ek = {k_j}_{j∈[n]}.
– Encrypt: On input a message m and a revoked set R: Using (Gen, Enc, Dec), compute a ciphertext tuple c as follows. For each i ∈ [n] \ R compute Enc_{k_i}(m). Apply a random permutation f to the ciphertext components, which results in a ciphertext tuple of length s, where s is the cardinality of the set [n] \ R.
– Decrypt: On input a ciphertext c = ⟨c_1, …, c_s⟩ and a key k_u: Starting from c_1, try to decrypt each ciphertext component under the key k_u. If there exists a c_j that is supposed to be decrypted by u (see the footnote below), return Dec_{k_u}(c_j).

Footnote: In order to determine this, strong correctness is required; this notion means that applying a wrong key to a ciphertext results in a special fail message being returned. This can be achieved, e.g., by appending a value H(M) to all plaintexts M (here H is a hash function); we omit further details.
Scheme 2. This scheme is defined as a tuple of algorithms (KeyGen, Encrypt, Decrypt) described below. A basic component of the scheme is the underlying symmetric encryption scheme (Gen, Enc, Dec).
– KeyGen: On input 1^n, 1^λ: For any user i ∈ [n] run Gen(1^λ), which generates a key k_i. The encryption key is ek = {k_j}_{j∈[n]}.
– Encrypt: On input a message m and a revoked set R: Using (Gen, Enc, Dec), compute a ciphertext tuple c of length n as follows. For any user i ∈ [n], if i ∈ R choose a random message m' ∈ M, compute Enc_{k_i}(m') and place it at the i-th position; if i ∉ R, compute Enc_{k_i}(m) and place it at the i-th position.
– Decrypt: On input a ciphertext c = ⟨c_1, …, c_n⟩ and the key k_u of a user u: Compute Dec_{k_u}(c_u).

Theorem 3. If the underlying scheme (Gen, Enc, Dec) of Scheme 1 is key-private, then Scheme 1 is private according to definition priv-eq.

Theorem 4. If the underlying scheme (Gen, Enc, Dec) of Scheme 2 is KEM-secure, then Scheme 2 is private according to definition priv-full.

It remains to show that Scheme 1 and Scheme 2 are BE-KEM-secure, i.e., secure under Definition 5. The proofs are similar and we give the one for Scheme 2 only.

Theorem 5. If the underlying encryption scheme (Gen, Enc, Dec) is KEM-secure, then Scheme 2 is BE-KEM-secure.

Proof. Let A be a PPT adversary that breaks BE-KEM security, i.e.,
$$\mathrm{Prob}[\mathrm{Exp}^{\mathrm{BE}\text{-}\mathrm{KEM}}_A(1^n, 1^\lambda) = 1] \ge \tfrac{1}{2} + \alpha$$
for a non-negligible α. We define a sequence of experiments Exp^A_0, …, Exp^A_n, where Exp^A_0 is the experiment Exp^{BE-KEM}_A and Exp^A_v operates exactly as Exp^A_0 except that the first v enabled users are given encryptions of randomly chosen plaintexts rather than encryptions of the appropriate plaintext. If s is the size of the enabled set, the experiments Exp^A_v for v = s, s + 1, …, n are identical.

Now let p_0 = Prob[Exp^A_0 = 1] and p_1 = Prob[Exp^A_1 = 1], and let B be an attacker against the KEM security of (Gen, Enc, Dec). B guesses the user i for which it will play Exp^{KEM}_B and, running Gen(1^λ) n − 1 times, generates the keys of the other users. When A outputs its challenge R, B checks whether i is the first enabled user and returns 0 if this does not hold. Otherwise, when B receives (m_1, Enc_k(m_b)), it places Enc_k(m_b) at the first enabled position (that of i), chooses a random message m_0 from the plaintext space and flips a perfect coin b'. B sets m'_{b'} = m_1 and m'_{1−b'} = m_0 and encrypts the message m'_{b'} for the enabled users other than i. For the revoked users B encrypts a message m'' chosen at random from the plaintext space. B always sends to A the message m'_1 together with the prepared ciphertext tuple. Since for all B, Prob[Exp^{KEM}_B(1^λ) = 1] ≤ 1/2 + ε, it can be shown that p_0 − p_1 ≤ 2n · ε. Similarly, for all v ∈ {0, 1, …, n − 1} we have p_v − p_{v+1} ≤ 2n · ε. Summing these inequalities we obtain p_0 − p_n ≤ 2n² · ε. Since p_n = 1/2, it holds that Prob[Exp^A_0 = 1] − 1/2 ≤ 2n² · ε, which contradicts the initial assumption.
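Schemes 1 and 2 written out end to end, as an added example that is not the paper's own code. The underlying symmetric scheme (Gen, Enc, Dec) is instantiated here with HMAC-SHA256 used as a PRF in counter mode, plus a MAC tag over nonce and body; the tag provides the strong correctness the Scheme 1 footnote asks for (a wrong key yields ⊥ rather than garbage) and is a swapped-in technique replacing the footnote's appended H(M), while key privacy rests on the assumption that HMAC-SHA256 is a PRF, so nonce, body and tag are pseudorandom under every key. The last function applies the decoding loop f^{-1} of Theorem 7 (Section 5) to these schemes. The names scheme1_encrypt, scheme2_encrypt, component_count and decode_revoked_set, the key and tag lengths, and the sample users and message are all constructed for this example.

```python
# Added example, not the paper's code: Schemes 1 and 2 over a symmetric scheme
# (Gen, Enc, Dec) instantiated here with HMAC-SHA256 as a PRF in counter mode
# plus a MAC tag.  The tag gives the strong correctness the Scheme 1 footnote
# requires (a wrong key yields bottom instead of garbage), replacing the appended
# H(M) of the footnote; key privacy is assumed from HMAC being a PRF, so nonce,
# body and tag look random under every key.  All names, lengths and sample data
# are constructed for this demonstration.
import hashlib
import hmac
import os
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 16


def gen():
    """Gen(1^lambda)."""
    return os.urandom(KEY_LEN)


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def enc(key, m):
    """Enc_k(m) = nonce || m xor PRF_k(nonce, ctr) || MAC_k(nonce || body)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(m, _keystream(key, nonce, len(m))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def dec(key, c):
    """Dec_k(c): the plaintext, or None (bottom) when c was not produced under k (strong correctness)."""
    if len(c) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = c[:NONCE_LEN], c[NONCE_LEN:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def keygen(n):
    """KeyGen(1^n, 1^lambda) of both schemes: ek is the list of all user keys k_1..k_n."""
    return [gen() for _ in range(n)]


def scheme1_encrypt(ek, m, revoked):
    """Scheme 1: one component per enabled user, in a random order; s = n - |R| components."""
    components = [enc(k, m) for i, k in enumerate(ek) if i not in revoked]
    secrets.SystemRandom().shuffle(components)
    return components


def scheme1_decrypt(c, k_u):
    """Scheme 1: trial-decrypt c_1, c_2, ... under k_u; strong correctness tells which one is ours."""
    for component in c:
        m = dec(k_u, component)
        if m is not None:
            return m
    return None                                   # revoked user: bottom


def scheme2_encrypt(ek, m, revoked):
    """Scheme 2: exactly n components in user order; a revoked slot encrypts a random plaintext of |m| bytes."""
    return [enc(k, os.urandom(len(m)) if i in revoked else m) for i, k in enumerate(ek)]


def scheme2_decrypt(c, k_u, u):
    """Scheme 2: user u decrypts its own slot only; a revoked user gets a random plaintext, not bottom."""
    return dec(k_u, c[u])


def component_count(c):
    """All a priv-st adversary needs against Scheme 1: |c| = n - |R| separates R from R u {i}."""
    return len(c)


def decode_revoked_set(ek, m, c, user_decrypt):
    """f^{-1} of Theorem 7: R := {i : Decrypt(SK_i, c) != m}; user_decrypt(c, k_u, u) is the scheme's Decrypt."""
    return {u for u, k in enumerate(ek) if user_decrypt(c, k, u) != m}


if __name__ == "__main__":
    keys, msg, revoked = keygen(5), b"rotate the signing key", {1, 3}
    c1 = scheme1_encrypt(keys, msg, revoked)
    c2 = scheme2_encrypt(keys, msg, revoked)
    print("Scheme 1 components:", component_count(c1), "Scheme 2 components:", component_count(c2))
    print("user 0 / Scheme 1:", scheme1_decrypt(c1, keys[0]), "| user 1 / Scheme 1:", scheme1_decrypt(c1, keys[1]))
    print("user 1 / Scheme 2:", scheme2_decrypt(c2, keys[1], 1))
    print("f^{-1} recovers R from the Scheme 2 ciphertext:", decode_revoked_set(keys, msg, c2, scheme2_decrypt))
```

A Scheme 1 ciphertext has exactly s = n − |R| components, so component_count alone separates R from R ∪ {i}: this is the priv-st failure of Theorem 1(3) and the reason Scheme 1 reaches only priv-eq. Scheme 2 always emits n components and hands a revoked user a random plaintext rather than ⊥, in line with the Decrypt specification of Definition 2, so neither the length nor the decryption behaviour reveals anything and a priv-full adversary is left with the encryptions themselves. The two ciphertext lengths, s · k and n · k, are the matching upper bounds of Corollary 2, and decode_revoked_set shows concretely that a correct ciphertext of either scheme encodes R, which is the observation behind the information-theoretic bound of Section 5.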
5 Lower Bounds for general broadcast encryption schemes
We now turn our attention to the setting of general, unrestricted broadcast encryption schemes. We prove that any scheme that is private in the sense of priv-st (equivalently, priv-full) has, with reasonably high probability, ciphertext length linear in the number of users. We denote by |x| the number of bits of the value x.

Theorem 6. For every set R ⊆ [n] we define the random variable S_R = |Encrypt(ek, m, R)|, the bit length of the ciphertext, where ek is an encryption key and m is a plaintext chosen from the message space M. Let Φ be a broadcast encryption scheme with n receivers. If Φ is private according to the priv-full definition, then for all R, R' ⊆ [n] and all PPT statistical tests D it holds that Δ_D[S_R, S_{R'}] < ε.

Proof. Suppose that there exists a pair of sets R, R' and a PPT statistical test D such that Δ_D[S_R, S_{R'}] ≥ α, with α non-negligible. Then the following PPT adversary A breaks definition priv-full with advantage at least α/2.
Phase 1: Challenge (R, R').
Phase 2: On input ⟨m, Encrypt(ek, m, R_b)⟩:
– Compute |Encrypt(ek, m, R_b)|.
– Run D on input |Encrypt(ek, m, R_b)|.
– Return the output of D.
The adversary can execute D a number of times in order to determine whether it is biased towards 1 on input S_R or on input S_{R'}. Without loss of generality we assume that D returns 1 with greater probability on input |Encrypt(ek, m, R')|, so that Prob[D(S_{R'}) = 1] − Prob[D(S_R) = 1] ≥ α (if D is biased towards 1 on input S_R, the adversary that returns the complement of D's output obtains the same result). Then
$$\mathrm{Prob}[\mathrm{Exp}^{\mathrm{priv}\text{-}\mathrm{full}}_A(1^\lambda) = 1] = \tfrac{1}{2}\left(\mathrm{Prob}[\mathrm{Exp}^{\mathrm{priv}\text{-}\mathrm{full}}_A = 1 \mid b = 0] + \mathrm{Prob}[\mathrm{Exp}^{\mathrm{priv}\text{-}\mathrm{full}}_A = 1 \mid b = 1]\right) = \tfrac{1}{2}\left(\mathrm{Prob}[D(S_R) = 0] + \mathrm{Prob}[D(S_{R'}) = 1]\right) \ge \tfrac{1}{2} + \tfrac{\alpha}{2}.$$
Next, we will prove a lower bound on the ciphertext size that any private broadcast encryption scheme can achieve. Our proof is based on a standard information-theoretic fact (cf. [5]), which is presented below:

Fact 1. Suppose there is a randomized procedure $\mathrm{Enc} : \{0,1\}^n \times \{0,1\}^r \to \{0,1\}^m$ and a decoding procedure $\mathrm{Dec} : \{0,1\}^m \times \{0,1\}^r \to \{0,1\}^n$ such that $\mathrm{Prob}_{r \in U_r}[\mathrm{Dec}(\mathrm{Enc}(x, r), r) = x] \ge \delta$. Then, $m \ge n - \log\frac{1}{\delta}$.

Theorem 7. Let Φ be a broadcast encryption scheme with n receivers and let ε(λ) be the upper bound of all the probabilities Prob[E_{R,i}]. For any R ⊆ [n] and i ∈ [n], we denote by E_{R,i} the event $(\mathrm{Decrypt}(SK_i, c) \ne m \wedge i \notin R) \vee (\mathrm{Decrypt}(SK_i, c) = m \wedge i \in R)$, where c = Encrypt(ek, m, R). If for any λ there exists some β for which $\varepsilon(\lambda) < \frac{1}{2n} - \frac{\beta}{n}$, then there exists a set R ⊆ [n] such that Prob[S_R ≥ n] > β.

Proof. Recall the definition of S_R: $S_R : \mathrm{Encrypt}(ek, m, R) \to |\mathrm{Encrypt}(ek, m, R)|$. We define a procedure f which is an encoding procedure of a set R ⊆ [n], while f^{−1} is a decoding procedure. The procedure f is a randomized procedure that takes as input two arguments ρ ∈ {0,1}^r and R ⊆ [n] and outputs ψ. We note that ρ depends on the security parameter λ and represents all the coins needed for the setup of the system and for the encryption. The procedures f and f^{−1} are defined as follows:

f(ρ, R):
1. Using ρ, compute a message m and the key ek which will be used by the encryption algorithm.
2. Compute Encrypt(ek, m, R).
3. If |Encrypt(ek, m, R)| ≥ n, output 0^{n−1}, else output Encrypt(ek, m, R).

f^{−1}(ψ, ρ):
1. Use ρ to compute SK_1, ..., SK_n.
2. Execute the following algorithm: R := ∅. For i = 1 to n: if Decrypt(SK_i, ψ) ≠ m then R := R ∪ {i}, else R is left unchanged.

Considering the definition of the decoding procedure, we say that f^{−1} fails when its result is R′ ≠ R, given that R is the encoded set. This happens either in case an event E_{R,i} takes place or the output of f is 0^{n−1}. By δ we denote the probability that the procedure f^{−1} succeeds.
In order to prove the theorem, we assume that for any λ for which there exists a β such that $\varepsilon(\lambda) < \frac{1}{2n} - \frac{\beta}{n}$, it holds that Prob[S_R ≥ n] ≤ β for all R ⊆ [n]. Let us fix a value λ. From the above assumption, we have that Prob[f outputs 0^{n−1}] ≤ β, which subsequently means that Prob[f^{−1} fails] ≤ n · ε(λ) + β. Consequently, we have that δ ≥ 1 − n · ε(λ) − β. Due to the fact that the length of the encoding produced by f is always at most n − 1 bits, using Fact 1 we have that

$$ n - 1 \ge n - \log\frac{1}{\delta} \;\Rightarrow\; \varepsilon(\lambda) \ge \frac{1}{2n} - \frac{\beta}{n}, \qquad (1) $$

which is a contradiction.
Lemma 2. Let Φ be a private broadcast encryption scheme with n receivers and λ a security parameter for which β < 1/2 and β is non-negligible in λ. Then, for all R ⊆ [n], it holds that Prob[S_R ≥ n] ≥ α, for α non-negligible.

Proof. We assume that there exists a set R_0 such that Prob[S_{R_0} ≥ n] < δ, where δ is a negligible function of λ. We construct the following statistical test D:

D: On input S_R: if S_R ≥ n return 1, else return 0.

According to Theorem 7, there exists a set R_1 for which Prob[S_{R_1} ≥ n] > β. As a result, we have that Prob[D(S_{R_1}) = 1] − Prob[D(S_{R_0}) = 1] > β − δ, which is non-negligible. This contradicts Theorem 6.
Corollary 3. For any broadcast encryption scheme Φ which is private in the sense of definition priv-full or priv-st, the ciphertext is of length Ω(n + k). The additive factor k stems from the fact that at least one ciphertext should be present in the encryption of a message m for any enabled set S.
6 Conclusion
The provided lower bounds highlight the high costs that privacy may incur for broadcast encryption schemes. The fact that privacy for atomic schemes requires a number of ciphertexts linear in the number of users leaves essentially no room for improvement in terms of the ciphertext size. If the objective is to attain full privacy, this result suggests that our attention should be turned to non-atomic schemes. In the non-atomic case, our lower bound is much weaker. It is thus an interesting open problem to design a fully private scheme with sublinear ciphertext size.
References
1. AACS, http://www.aacsla.com/
2. Attrapadung, N., Imai, H.: Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations. In: Roy, B.K. (ed.) ASIACRYPT. Lecture Notes in Computer Science, vol. 3788, pp. 100–120. Springer (2005)
3. Barth, A., Boneh, D., Waters, B.: Privacy in encrypted content distribution using private broadcast encryption. In: Crescenzo, G.D., Rubin, A.D. (eds.) Financial Cryptography. Lecture Notes in Computer Science, vol. 4107, pp. 52–64. Springer (2006)
4. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 3621, pp. 258–275. Springer (2005)
5. De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 6223, pp. 649–665. Springer (2010)
6. Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys. In: Kurosawa, K. (ed.) ASIACRYPT. Lecture Notes in Computer Science, vol. 4833, pp. 200–215. Springer (2007)
7. Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) Digital Rights Management Workshop. Lecture Notes in Computer Science, vol. 2696, pp. 61–80. Springer (2002)
8. Fazio, N., Perera, I.M.: Outsider-anonymous broadcast encryption with sublinear ciphertexts. In: Fischlin et al. [10], pp. 225–242
9. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 773, pp. 480–491. Springer (1993)
10. Fischlin, M., Buchmann, J., Manulis, M. (eds.): Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21-23, 2012. Proceedings. Lecture Notes in Computer Science, vol. 7293. Springer (2012)
11. Goodrich, M.T., Sun, J.Z., Tamassia, R.: Efficient tree-based revocation in groups of low-state devices. In: Franklin, M.K. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 3152, pp. 511–527. Springer (2004)
12. Halevy, D., Shamir, A.: The LSD broadcast encryption scheme. In: Yung, M. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 2442, pp. 47–60. Springer (2002)
13. Libert, B., Paterson, K.G., Quaglia, E.A.: Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model. In: Fischlin et al. [10], pp. 206–224
14. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 2139, pp. 41–62. Springer (2001)
15. Shoup, V.: A proposal for an ISO standard for public key encryption. IACR Cryptology ePrint Archive 2001, 112 (2001)
16. Wang, P., Ning, P., Reeves, D.S.: Storage-efficient stateless group key revocation. In: Zhang, K., Zheng, Y. (eds.) ISC. Lecture Notes in Computer Science, vol. 3225, pp. 25–38. Springer (2004)